Bug 1558862

Summary: [REF] The ASB should support private registry
Product: OpenShift Container Platform
Reporter: Jian Zhang <jiazha>
Component: Service Broker
Assignee: Dylan Murray <dymurray>
Status: CLOSED ERRATA
QA Contact: Jian Zhang <jiazha>
Severity: medium
Priority: medium
Version: 3.9.0
CC: aos-bugs, chezhang, dmoessne, dymurray, jiazha, jmatthew
Target Release: 3.10.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2018-07-30 19:10:48 UTC
Type: Bug

Description Jian Zhang 2018-03-21 07:33:41 UTC
Description of problem:
Recently, we need to use a private registry (especially on a GCE cluster). But the ASB does not support that at present.
So, I think the ASB should support private registries for users.

Version-Release number of selected component (if applicable):
The ASB version: 1.1.16

How reproducible:
Always

Steps to Reproduce:
1. Configure the ASB with a private registry. For example (I couldn't find a suitable type for now):

registry:
  - type: xxx
    name: xxx
    url:  registry.reg-aws.openshift.com:443
    org:  openshift3
    tag:  v3.9
    white_list: [.*-apb$]
    user: xxx
    pass: xxx


Actual results:

Got the errors below, as expected:
[2018-03-21T06:18:28.749Z] [DEBUG] - Using registry.reg-aws.openshift.com:443 to source APB images using query:"*-apb"
[2018-03-21T06:18:28.749Z] [ERROR] - unable to retrieve image names for registry rh - Get registry.reg-aws.openshift.com:443/v1/search?q="*-apb": unsupported protocol scheme "registry.reg-aws.openshift.com"
[2018-03-21T06:18:28.749Z] [WARNING] - registry: 0x14c6fc0 was unable to complete bootstrap - Get registry.reg-aws.openshift.com:443/v1/search?q="*-apb": unsupported protocol scheme "registry.reg-aws.openshift.com"


Expected results:
The ASB can support the private registry well.

Additional info:

Comment 1 John Matthews 2018-03-21 12:47:02 UTC
Jian,

The main issue is that openshift registry implementation does not support the Catalog API in docker registry v2.  Without this we are limited in the functionality we can obtain discovering APBs.

There is a trello card on dev-exp to implement catalog api here:
  https://trello.com/c/AZINw5qI

BZ is tracked here:
  https://bugzilla.redhat.com/show_bug.cgi?id=1509084

Assuming that catalog api is not available, we do have a workaround with current Broker code.  We need to explicitly list the APB images we want the registry adapter to support in the config entry.

Documentation is here showing how this works:
https://github.com/openshift/ansible-service-broker/blob/master/docs/config.md#openshift-registry

Please try the documentation out and see if this is sufficient for your immediate needs.  If this works for you I would recommend we close this BZ.

Comment 3 Dylan Murray 2018-03-22 13:43:13 UTC
Jian,

I can clear something up here. The `openshift` registry currently only connects to the ISV registry (registry.connect.redhat.com). I am working on a PR to fix https://bugzilla.redhat.com/show_bug.cgi?id=1558472 which I hope will also give improvements to this bug. I believe my PR should resolve both of these.

Comment 4 Jian Zhang 2018-03-23 01:45:02 UTC
Dylan,

Thank you for your clarification! I also believe your PR can fix that `openshift` registry issue. But, I don't think it will work for this bug, because as you said, it only connects to the registry.connect.redhat.com.

For this [REF] bug, our expectation is that the ASB should support the user's private registry, which is configurable. It should not be limited to registry.connect.redhat.com.

Comment 5 Dylan Murray 2018-03-23 01:55:06 UTC
Jian,

Yes, part of my PR is to remove the requirement on registry.connect.redhat.com. My PR will assume a generic openshift registry and retrieve the authentication redirect header to grab a bearer token. It will take the user's configured URL and add /v2/ as a suffix to get the authentication header.

I *hope* that this will work for any registry that supports the v2 docker registry API, including any user's private registry.
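
The flow described in Comment 5, as an added example that is not part of the thread and not the broker's own code: it builds the /v2/ endpoint from the configured url, then turns the Bearer challenge a registry returns with its 401 into a token request. The function names, the example.test hosts and the https-only rule are assumptions of this example; the rule is there because the configured user and pass are sent to whatever realm the challenge names.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

var challengeParam = regexp.MustCompile(`(\w+)="([^"]*)"`) // key="value" pairs

// PingURL maps the configured url to its /v2/ endpoint. A bare host:port gets
// https:// first; otherwise Go's parser takes the text before ':' as the scheme.
func PingURL(configured string) (string, error) {
	if !strings.Contains(configured, "://") {
		configured = "https://" + configured
	}
	u, err := url.Parse(configured)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("registry url %q must be an https URL", configured)
	}
	return strings.TrimSuffix(u.String(), "/") + "/v2/", nil
}

// TokenURL builds the token request from the WWW-Authenticate challenge sent
// with the 401 on /v2/. Credentials go to the realm, so it must be https.
func TokenURL(challenge string) (string, error) {
	isBearer := strings.HasPrefix(strings.ToLower(challenge), "bearer ")
	realm, q := "", url.Values{}
	for _, m := range challengeParam.FindAllStringSubmatch(challenge, -1) {
		if k := strings.ToLower(m[1]); k == "realm" {
			realm = m[2]
		} else if k == "service" || k == "scope" {
			q.Set(k, m[2])
		}
	}
	u, err := url.Parse(realm)
	if !isBearer || err != nil || u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("need a Bearer challenge with an https realm, got %q", challenge)
	}
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() {
	ping, _ := PingURL("registry.reg-aws.openshift.com:443") // url from the report
	tok, err := TokenURL(`Bearer realm="https://auth.example.test/token",service="registry.example.test"`) // constructed
	fmt.Println(ping, tok, err)
}
```

The bare `registry.reg-aws.openshift.com:443` value from the report is what produces the `unsupported protocol scheme` error in the log above; with the scheme added it resolves to a normal /v2/ URL.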

Comment 6 Jian Zhang 2018-03-23 02:49:51 UTC
Dylan,

That's good! Thanks!

Comment 7 Zhang Cheng 2018-03-23 07:53:50 UTC
Dylan,

Can we use a Trello card to trace this new requirement? Or use the existing card https://trello.com/c/NaNlxsPo

Comment 8 Dylan Murray 2018-03-26 16:50:29 UTC
Zhang,

Sounds good, I will track testing of this registry in that card. Thanks!

Comment 18 errata-xmlrpc 2018-07-30 19:10:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816